Missing Superfetch and Prefetch Files?
Have you noticed missing Superfetch or Prefetch data when analyzing Windows volumes? There are some legitimate reasons for not seeing Superfetch and Prefetch data.
The most common reason is that the suspect was running Windows on an SSD. Superfetch and Prefetch were designed to mitigate the slow application load times of platter HDDs, and the much lower seek latency of an SSD typically removes the need for them. Windows's disk assessment (the WinSAT test behind the Windows Experience Index) determines whether Superfetch and Prefetch should be enabled, and the outcome is recorded in the EnablePrefetcher and EnableSuperfetch values under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (0 = disabled, 1 = application launch only, 2 = boot only, 3 = both). A fast disk score will leave those values at 0.
In a recent test case, we examined a Windows Boot Camp image taken from a MacBook Air with an SSD. In BlackLight, it was seen that there were some Superfetch files, but they all had dates and timestamps from the time of the Windows installation. Presumably, the reason for this is that Superfetch initially ran but was then deemed unnecessary with the SSD.
Of course, it is also possible that the suspect manually disabled the Superfetch and Prefetch services and/or deleted the related files. The two cases leave different traces: an SSD auto-disable sets the PrefetchParameters values to 0 while the Superfetch service (service name SysMain) keeps its default start type, whereas a manual disable usually shows the service start type set to 4 (disabled) and a much later LastWrite time on the key; deletion alone leaves the values at 3 with the service still automatic but an empty or sparsely populated C:\Windows\Prefetch folder.
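The following PowerShell triage script is an added example, not BlackBag's or BlackLight's own code. It assumes the suspect volume is mounted read-only at E:\ (a hypothetical path) on an examiner workstation with an elevated PowerShell, loads the suspect SYSTEM hive under a temporary key, and pulls together the artifacts discussed above: the PrefetchParameters values, the SysMain service start type, the spread of .pf file timestamps, and the WinSAT disk score.

```powershell
# Added example (not BlackBag's code): triage the Superfetch/Prefetch state of a
# mounted Windows volume. Assumes the image is mounted read-only at E:\ (hypothetical)
# and that this runs from an elevated PowerShell on the examiner's workstation.
$Volume   = 'E:'
$HiveName = 'ImgSystem'    # temporary mount point for the suspect's SYSTEM hive

# 1. Load the suspect's offline SYSTEM hive under HKLM\ImgSystem.
reg load "HKLM\$HiveName" "$Volume\Windows\System32\config\SYSTEM" | Out-Null
try {
    # 2. Use the control set that was current at last shutdown, not ControlSet001 blindly.
    $current = (Get-ItemProperty "HKLM:\$HiveName\Select").Current
    $cs = 'HKLM:\{0}\ControlSet{1:D3}' -f $HiveName, $current

    # 3. Prefetcher/Superfetch switches: 0 = off, 1 = application launch only,
    #    2 = boot only, 3 = both (the default on a platter HDD).
    $ppPath = "$cs\Control\Session Manager\Memory Management\PrefetchParameters"
    $pp = Get-ItemProperty $ppPath
    "EnablePrefetcher : $($pp.EnablePrefetcher)"
    "EnableSuperfetch : $($pp.EnableSuperfetch)"

    # 4. The Superfetch service is registered as SysMain.
    #    Start: 2 = automatic, 3 = manual, 4 = disabled.
    $svc = Get-ItemProperty "$cs\Services\SysMain"
    "SysMain Start    : $($svc.Start)"
}
finally {
    # Drop handles to the loaded hive before unloading, or reg unload fails with "access denied".
    $pp = $null; $svc = $null
    [gc]::Collect()
    reg unload "HKLM\$HiveName" | Out-Null
}

# 5. Prefetch files: how many, and how wide is the timestamp spread? A handful of .pf
#    files all dated at OS install time matches the SSD auto-disable pattern described above.
$pf = Get-ChildItem "$Volume\Windows\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue
if (-not $pf) {
    'Prefetch files   : none found'
} else {
    $sorted = $pf | Sort-Object LastWriteTimeUtc
    'Prefetch files   : {0}; oldest {1:u}; newest {2:u}' -f $pf.Count,
        $sorted[0].LastWriteTimeUtc, $sorted[-1].LastWriteTimeUtc
}

# 6. WinSAT disk score from the most recent formal assessment. The XML lives under
#    Windows\Performance\WinSAT\DataStore; a high DiskScore indicates an SSD was detected.
$store = "$Volume\Windows\Performance\WinSAT\DataStore"
$xmlFile = Get-ChildItem $store -Filter '*Formal.Assessment*.xml' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTimeUtc | Select-Object -Last 1
if ($xmlFile) {
    [xml]$winsat = Get-Content -LiteralPath $xmlFile.FullName
    'WinSAT DiskScore : {0} (from {1})' -f $winsat.WinSAT.WinSPR.DiskScore, $xmlFile.Name
} else {
    'WinSAT DiskScore : no formal assessment found'
}
```

Read the output as a whole rather than one line at a time: both PrefetchParameters values at 0, SysMain still at Start 2, a high DiskScore and only install-time .pf files is the SSD case from the test image above; values at 0 with SysMain at Start 4 points to a manual disable; values at 3 with SysMain automatic but an empty Prefetch folder suggests the files were deleted. Always work on a read-only mount or a copy of the hive, since reg load opens the file for writing.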
Have further questions about working with Windows images, or other aspects of digital forensics? Feel free to reach out to the BlackBag training team for assistance.